Everyone loves Web 2.0 applications. They are easy to use and fast, and can be accessed from any computer or smartphone without installation. They let us communicate and share data with one another, shop with little effort, and access vast amounts of information. However, they are also frequently mentioned in connection with novel exploits, data leaks, and identity theft. Active content, tight integration, and the overall complexity of the continuously evolving Web 2.0 technology create new risks that are hard to grasp. Abandoning the technology is not a solution, because we would lose many features that we have come to rely on. But how can we achieve both a pleasant user experience and security in a place as messy as the Web 2.0 landscape? First, we can seek to understand the wide range of attacks, as well as the complex security situation and attack surface of Web 2.0 applications. Second, we can study the open research challenges in this field and assess how best to approach them.